CyberMed Summit Addresses Fears of Hospitals Getting Hacked

You’re working your usual shift in the ED when you are called upon to take care of a patient with atrial fibrillation and a rapid ventricular rate at 190 bpm. Her blood pressure is a little soft, but she does not require cardioversion yet. As your nurse starts to mix and hang the diltiazem you ordered, you begin your point-of-care ultrasound of the patient’s heart. Suddenly, you notice that the bag of diltiazem has been bolused in its entirety into the patient’s vein over the course of a mere 10 minutes. Your nurse looks at you with shock and horror. “I didn’t do that doc!” she screams as the patient’s blood pressure and heart rate drop to fatal numbers. Just as you begin giving medications in an attempt to reverse the effects of the calcium-channel blocker overdose, your jaw drops. You see several other medication pumps in adjacent resuscitation bays start doling out entire bags of medications as well!

This may sound like a sci-fi thriller, but security researchers have shown that pacemakers, insulin pumps, and other medical delivery systems are vulnerable to cyber attack. To play out these nightmare scenarios and learn from them, the University of Arizona hosted the first ever CyberMed event in Phoenix last June. The two-day event brought together 155 clinicians, policy-makers, security researchers, and industry insiders to watch dramatic simulations and discuss the grave threat that hacking poses to today’s healthcare delivery.

Just weeks after the summit, new ransomware known by some as “Petya” quickly spread to countries around the world, including the United States, with hackers holding computers hostage for payouts. Last January, Hollywood Presbyterian Hospital in Los Angeles paid out $17,000 after hackers took control of its computers. “We went from being prone and prey with no predators to now a little blood in the water,” cybersecurity expert Josh Corman told ABCNews. “Hospitals and health care went to the No. 1 targeted industry last year, in less than one year—so our relative obscurity is over.”

Not scared yet? Last month, a worldwide cyberattack by a ransomware called WannaCry not only hit computers but also storage refrigerators and MRI machines, shutting down 65 hospitals in the United Kingdom.

The FDA has been urging manufacturers to update their products’ security measures since at least 2013. However, agency guidelines issued last year are not binding, and the FDA does not review the vast majority of cyber security updates made to devices under its own rules, which are intended to streamline medical device upgrades.

In a collaborative effort to increase awareness of such cybersecurity threats in healthcare, doctors Teresa Wu, Jeff Tully, and Christian Dameff worked to create a simulation-based conference focused on the issue and on finding solutions. Josh Corman, Director of the Cyber Statecraft Initiative at the Atlantic Council’s Brent Scowcroft Center, and Beau Woods, founder of the grassroots computer security organization “I am the Cavalry” and Deputy Director of the Cyber Statecraft Initiative, further aided the team.

“Simulation is an incredibly powerful learning modality, particularly for the rare or novel situation requiring specialized responses,” says Dameff. “It also allows the translation of theoretical or conceptual problems to ‘real’ patient physiology and care. Designing and executing the first ever simulations of patients affected by compromised medical devices allowed us to take the work performed by security researchers in the laboratory and demonstrate what that may look like to the ER doc and team who will have to care for the patient who rolls in with a hacked AICD or insulin pump.”

Three physicians with no foreknowledge of the simulation were selected by Dameff and the team to act as “unwitting physicians,” one for each scenario. Each physician was called to do damage control post-cyber attack, assessing and caring for critically ill patients targeted by hackers across the globe. Actors portrayed patients, and real paramedics served as support staff, responding to the attending doctor’s directions. Each scenario involved a compromised device based on research: a medication infusion pump dosing the full quantity in minutes, a wearable insulin pump causing the wearer to go into a coma and crash a car, and a hacked pacemaker eventually causing cardiac arrest. Thirty-five attendees viewed the simulation from behind one-way glass; the rest viewed a live stream from down the hall.

As Dameff explained, in each scenario when something grave happened, the lights would be turned off, freezing the simulation, as the human patient would be replaced by a high-fidelity simulation mannequin that could blink, sweat, and cry. Outside the room, Dr. Wu was the wizard behind the curtain, using a computer to control the mannequin based on what the physician did, increasing heart rate, stopping breathing, etc.

None of the physicians realized that the equipment was hacked, but all of the patients ultimately survived. Doctor Anne-Michelle Ruha’s patient was in a rapid atrial fibrillation. “When his heart rate and blood pressure began to drop, I assumed it was related to his primary condition, until I discovered an entire bag of diltiazem had infused in minutes. Despite knowing the theme of the conference, it did not occur to me that hacking of the infusion pump had occurred–I assumed human error,” she said. Of course, her focus was then on treating the calcium channel blocker toxicity. Once her patient was stabilized, she learned about the hacking.

“I think in a real-life situation the physician deals with the ‘What went wrong?’ question after the patient is stabilized, and I don’t think knowing what happened would have affected my treatment,” said Ruha. “However, I do think it is important to be aware of the possibility because if I had seriously suspected hacking, I would have instructed the nurses to set the infusion pump aside and not use it for anything.” Ruha added hacking really never crossed her mind in the past, and she’s glad to now be aware of the potential problem. “I still don’t think I would be likely to consider it if something like this occurred with a single patient, but if several pumps ‘malfunctioned’ simultaneously, hacking would now be the first thing I would think of,” she said.

“We had to design and create a clinical environment and patient scenarios that enabled our physicians and audience members to suspend disbelief,” said Wu, who is the Simulation Director at the University of Arizona, College of Medicine-Phoenix and also for the national American College of Emergency Physicians. “Our scenarios were so realistic and engaging that audience members almost jumped right out of their seats to help the physician and team members caring for the affected patients,” she said.

“Part of the problem is, as physicians, we are trained to rely on a vast array of technologies to assist us in the care of our patients,” said Tully. “From decision support tools to actual implantable medical devices, we have an implicit trust in such technologies that they will do what they are intended to do without need for additional scrutiny or oversight. We are now entering a world where such trust without vigilance and verification may become negligent. We need to prepare for such a practice environment.”

The summit was the first ever simulation of cyberattack in medicine, and attendee feedback was 90% “extremely satisfied” and 10% “satisfied.” The team hopes to expand the conference nationally and even internationally. Wu, who has been creating, designing, and running medical and surgical situations for more than a decade, hopes people will start to understand just how dangerous and unpredictable these types of cyberattacks can be.

“We wanted folks to walk out of the sessions amped up and ready to make a difference. I think we achieved our goals and so much more with our CyberMed Summit,” she said.

For more information about cyberattacks in medicine and patient care, follow these doctors on Twitter: @TeresaWuMD, @CDameffMD, and @JeffTullyMD.